user should sign off automatically after few minute, like 20-30 minute? and get back to the login page, even if they doing something on website, i'm using mvc5.
can IIS overwrite our web.config's session timeout changes ?
Identity server provides you with everything you need to handle session length and a variety of other features to suit your needs. Take a look at the following guide that will get you started in understanding identity server.
The timeout of each user gets checked against the identity server security store and you can renew / revoke access tokens as needed.